Damian Ebelties

**Name of the Vulnerable Software and Affected Versions** cosenary Instagram-PHP-API (aka Instagram PHP API V2) as used in the UserPro plugin through 4.9.32 for WordPress **Description** The issue is related to cross-site scripting (XSS) via the `error description` parameter in the `example/success.php` file. This allows for potential exploitation. The vulnerable code snippet is: ```php if (isset($ GET['error'])) { echo 'An error occurred: ' . $ GET['error description']; } ``` A proof-of-concept exploit is demonstrated using the URL `https://domain.tld/wp-content/plugins/userpro/lib/instagram/vendor/cosenary/instagram/example/success.php?error=&error description=<PAYLOAD>`. **Recommendations** For the UserPro plugin through 4.9.32 for WordPress, consider disabling the `example/success.php` file or restricting access to it until a patch is available. Avoid using the `error description` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.